{"vulnerability": "CVE-2026-11525", "sightings": [{"uuid": "1a6603a6-7f60-4539-8209-94f722390f0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11525", "type": "seen", "source": "https://bsky.app/profile/ulisesgascon.com/post/3moitvr3dbc2g", "content": "\ud83d\udea8 Low-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!\n\nPatches CVE-2026-11525. undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching.\n\ngithub.com/nodejs/undic...", "creation_timestamp": "2026-06-17T17:34:09.494193Z"}, {"uuid": "016e2496-f040-4be0-b114-72d72ce6c4d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11525", "type": "seen", "source": "https://bsky.app/profile/nodeland.dev/post/3mol72ndrtt2r", "content": "\ud83d\udd35 Low: SameSite downgrade (CVE-2026-11525).\nSubstring matching meant `SameSite=NoneOfYourBusiness` parsed as `None` and `StrictLax` as `Lax`, silently weakening cookie policies. v6/v7/v8.", "creation_timestamp": "2026-06-18T15:59:06.190352Z"}]}